(54) Title: A SECURE EMAIL DELIVERY SYSTEM

(57) Abstract: A secure email delivery system (1) acts as a relay between a client computer (2) using Web mail services on a mail
server (4) and with the mail server (4). It thus handles incoming and outgoing messages. A policy manager (74) determines a security
policy from a policy database (30) when an outgoing message is received. According to this policy, the message may be signed and
encrypted transparently to the user. All registered users have a policy and the system captures security data for communication with
non-registered users when they reply to outgoing messages from registered users.

"A secure email delivery system"

INTRODUCTION 
Field of the Invention

The invention relates to delivery of secure email messages.

Prior Art Discussion

It is well known that a major barrier to use of email for delivery of business and legal
documents is the problem of ensuring security of messages and attached documents.
This problem remains despite the fact that major advances in cryptography have
been made in recent years. It appears that many people have not used the available
key pair and digital signature systems because there is a perception that they require
excessive processor time and are difficult to use.

The invention addresses this problem. 

SUMMARY OF THE INVENTION

According to the invention, there is provided a secure email delivery system
comprising:

a client-side interface comprising means for receiving outgoing messages from
client devices operated by registered subscribers and for transmitting incoming
messages to said client devices;

a policy database storing a security policy for each of a plurality of registered
subscribers;

a policy manager comprising means for accessing the policy database to
determine a registered subscriber policy in real time and for delivering policy
data to a requesting function in real time;

a secure key database securely storing keys of registered subscribers and their
addressees and a secure certificate database securely storing certificates of
registered subscribers and their addressees;

a signing function comprising means for receiving policy data from the policy 
manager and a registered subscriber private key from the key database and for 
dynamically signing an outgoing message received at the client-side interface; 

an encryption function comprising means for receiving policy data from the
policy manager and for dynamically encrypting an outgoing message in real
time using an addressee public key retrieved from the certificate database;

a decryption function comprising means for automatically decrypting an
incoming message in real time using the private key of the addressee
registered subscriber retrieved from the key database; and

a server-side interface comprising means for transmitting outgoing messages 
to a mail server after being processed, and for receiving incoming messages. 

In one embodiment, the policy database stores a policy for non-registered users who 
are addressees of mail from registered users, and the policy manager comprises 
means for determining policy data according to both a sender and a recipient of a 
message.

In one embodiment, the signing function comprises means for automatically signing
an outgoing message in the absence of policy data for an addressee.

In one embodiment, the client-side interface comprises an API for linking with hooks
on a server.

In one embodiment, the API comprises means for linking with hooks on an external 
mail server for generating Web mail under client instructions. 

In one embodiment, the policy manager is linked with the signing function, the
encryption function, and with the decryption function by a cryptography API
providing a real time bi-directional link and allowing modularity of the functions of
each side of said API.

In another embodiment, the signing function, the encryption function, and the
decryption function comprise means for operating with use of a cryptography library
of low-level cryptography processes.

In one embodiment, the system further comprises a certificate manager and a key
manager residing on the same side of the cryptography API as the signing,
encryption and decryption functions.

In another embodiment, the signing function, the encryption function, the decryption
function, the certificate manager, and the key manager provide a programmed
wrapper around the cryptography library.

In one embodiment, the key database stores a policy as an instance of a plurality of
datatype classes.

In one embodiment, the datatype classes include signing algorithm, encryption
algorithm, signing policy, and decryption policy classes.

In one embodiment, the key database stores a key pool in a directory having a
configurable size with a threshold, and the database comprises means for
replenishing keys when the level falls below the threshold.

In another embodiment, a management console comprises means for editing data in
the policy database.

In one embodiment, the management console comprises means for retrieving a
policy from the policy database as a model and for retrieving a certificate from the
key database as a model.

In one embodiment, the management console comprises a controller comprising
means for treating each business operation as an object-orientated class instance.

In another embodiment, the controller comprises means for receiving a command
string, parsing the string into a hash table, instantiating a class instance and setting
properties and a name for the instance, and initialising the instance.

In one embodiment, the policy database stores group policies, each associated with a
group of registered subscribers.

In another embodiment, the policy database stores default policies.

In one embodiment, the certificate manager comprises means for automatically
stripping certificates from incoming messages and storing them in the certificate
database for subsequent use.

According to another aspect, the invention provides a secure email delivery system
comprising;

a client-side interface comprising means for receiving outgoing messages from 
client devices operated by registered subscribers and for transmitting incoming 
messages to said client devices; 

a policy database storing a security policy for each of a plurality of registered 
subscribers; 

a policy manager comprising means for accessing the policy database to 
determine a subscriber policy in real time and for delivering policy data to a 
requesting function in real time; 

a secure key database securely storing keys of registered subscribers and their 
addressees and a secure certificate database securely storing certificates of 
registered subscribers and their addressees; 

a signing function comprising means for receiving policy data from the policy 
manager and a subscriber private key from the key database and for 
dynamically signing an outgoing message received at the client-side interface; 

an encryption function comprising means for receiving policy data from the
policy manager and for dynamically encrypting an outgoing message in real
time using an addressee public key retrieved from the certificate database;

a decryption function comprising means for automatically decrypting an
incoming message in real time using the private key of the addressee retrieved
from the key database; and

a server-side interface comprising means for transmitting outgoing messages
to a mail server after being processed, and for receiving incoming messages;
and wherein:

the policy manager is linked with the signing function, the encryption
function, and with the decryption function by a cryptography API providing a
real time bi-directional link and allowing modularity of the functions on each
side of said API,

the signing function, the encryption function, and the decryption function
comprise means for operating with use of a cryptography library of low-level
cryptography processes, and

the system further comprises a key manager and a certificate manager residing
on the same side of the API as said signing, encryption, and decryption
functions, and said functions, the key manager, and the certificate manager
together provide a wrapper around said cryptography library.

DETAILED DESCRIPTION OF THE INVENTION 

Brief Description of the Drawings

The invention will be more clearly understood from the following description of
some embodiments thereof given by way of example only with reference to the
accompanying drawings, in which:

Fig. 1 is a high level diagram showing interaction of a security relay of the
invention with a client computer and with a mail server;

Fig. 2 is a diagram showing interaction between the client computer and the
security relay in more detail;

Fig. 3 is a diagram showing the security relay in more detail;

Figs. 4 and 5 are diagrams showing parts of the relay in more detail; and

Fig. 6 is a flow diagram illustrating operation of the relay in more detail.

Description of the Embodiments

Referring to Fig. 1, a secure email delivery system 1 interfaces with a client computer
2 over a secure HTTP socket layer (SSL) connection 3. It also interfaces with a local
mail server 4 via APIs using a HTTP SSL link 5. The mail server 4 sends and
receives messages over the Internet 6. Because the system 1 effectively operates as a
relay between the client and server, it is henceforth called a "security relay" or
"relay".

The client computer 2 is conventional insofar as it only needs to have a messaging
application or browser which supports a portable code environment such as a Java
Virtual Machine™ environment. The computer 2 is operated by a registered
subscriber, also referred to as a "user". The mail server is a conventional mail server
for an ISP. In this embodiment, the relay 1 resides on the same platform as the mail
server 4.

Referring to Fig. 2, the client computer 2 interfaces with a Web server 10 hosting the
mail server 4 and the relay 1. The client computer 2 runs a browser 11 having a
portable code interpreter which allows execution of plug-ins 12. The Web server 10
allows the client computer 2 to communicate with the mail server 4 to create "Web
mail" messages while on-line. The server 4 then sends the messages to the recipients
and receives the incoming messages in a mailbox for the user. The user then
subsequently retrieves the messages. The security relay transparently to the user
performs a set of desired security operations for both incoming and outgoing
messages and so it may be regarded as conceptually residing between the client
computer 2 and the mail server 4. However, the physical interconnection is via APIs
between the mail server 4 and the relay 1, this channel transmitting:

(a) outgoing messages from the mail server 4 to the relay 1 and
security-processed outgoing messages back to the mail server 4 for onward
transmission to the recipient, and

(b) incoming messages from the mail server 4 and security-processed
incoming messages back to the mail server 4 for onward transmission to
the client computer 2.

A key feature is that the relay 1 handles all cryptography and digital signature
operations for the client 2. These operations are carried out transparently to the user
and require no input from him or her. Thus a user only needs to subscribe to the
security service provided by an organisation hosting the relay 1. Such an
organisation may be any ISP or ASP, as the Internet is of course the major insecure
network in use. Thus the (real or perceived) problem of setting up
encryption/decryption functionality is taken from the user. He or she only needs to
send and receive email messages in the usual manner. The following is a typical
message sequence:

User X (of computer 2) sends a message to a remote user Y. This is created
over the secure socket 3 by the client computer 2 and the mail server 4.

The message is routed to Y via the relay 1. This is not encrypted, but is
signed automatically by the relay 1 on behalf of X.

If Y responds, the relay 1 captures Y's certificate on the return path. From
then on the relay 1 will automatically encrypt and sign all outgoing messages
to Y, and also decrypt all incoming messages.

Thus, the user X has a secure bi-directional link with Y without the need to bother
with any cryptography operations.

Because the relay 1 interfaces with an existing mail server 4, it is particularly
convenient for the ISP or ASP hosting it. The relay 1 can be added in a modular
manner.

Referring now to Fig. 3, the relay 1 is shown in more detail. It interfaces on the
server side with (a) an SMTP delivery module 20 and an SMTP server 21 for sending
messages, and (b) with an IMAP/POP3 mail server 22 and an IMAP/POP3
retriever 23 for receiving messages. This interfacing is via APIs executing on the
platform which hosts the relay 1 and the mail server 4 as applications.

A security policy database 30 allows the relay 1 to provide the security required by
users according to policies set by a system administrator. This database is managed
by a management console function 31.

A user authentication module 35 uses the database 30 to dynamically perform
authentication of subscribed users. A client side interface API function block 41
receives messages via the client plug-ins 12.

The messages are passed to encryption functions 37 which perform encryption and
digital signing according to the policies for the users and addressees retrieved from
the database 30. As described above, if the addressee is being addressed for the first
time there is digital signing by default; however, the outgoing message cannot be
encrypted. However, once a reply is received from the addressee his or her certificate
is stored in the database 30 and there will be encryption/decryption from then on.

Messages are retrieved from the retriever 23 and are decrypted where applicable and
the signature is authenticated by functions 38 using the database 30. The header
(sender, subject, date) is passed to the client computer 2 for display (after decryption)
if it is selected by the user.

In more detail, referring to Fig. 4, the policy database 30 and the management
console 31 are illustrated. They may be together referred to as an administrative
framework. The framework follows the MVC (Model-View-Controller) design
pattern, allowing the management presentation interface to be completely decoupled
from the logic. Each retrieved policy is represented as a JavaBean model 53 and
each retrieved certificate is represented as a model 54. A certificate interface 56 is
linked with a certificate/key database 90, shown in Fig. 5. A view interface 50 uses
HTML with embedded JSP tags 51. Post/get control is implemented by a set of Java
servlets 52.

Referring to Fig. 5, the functions 37 and 38 are illustrated in detail. A Java
cryptography API 75 is linked with a policy manager 74 and it has a HTTP client 76
linked with:

a fast Common Gateway Interface (CGI) cryptography server 77
programmed in C++,
a S/MIME C++ cryptography function 78,
a certificate manager 79 programmed in C++,
a key manager 80 programmed in C++, and
a cryptography library 81 having access to a certificate/key database 90.

The interface 41 comprises:

an API 71,
a HTTP client 72 programmed in native Java, and
an API servlet 73.

In more detail, the management console 31 provides graphical user interfaces for
input and display of user information, security policies, and certification
management. The view interface 50 is the console front end and the screens are
displayed using HTML and JSP. The JSP tags 51 are used to interface between the
screens and Java code for the purposes of displaying derived data that is calculated or
changes during the lifetime of the relay 1. The controller servlets provide the derived
data to the JSP tags. The security policy model 53 is a JavaBean which drives the
data for the security policy screens. Likewise, the certificate model 54 is a JavaBean
which drives data for certificate management screens. The function 55 provides
access to the database 30 for persistent data on policies using the Java standard
JDBC. The certificate interface interacts with the key database 90 to retrieve
certificate data for the management console 31. Access to the database 90 is via the
cryptography library 81, described in more detail below.

Referring again to Fig. 5, the functions which perform the core cryptography
operations are now described in detail. The mail server 4 shown in Fig. 1 includes a
client 70 which accesses the relay 1 via the client interface 10. In this example, the
client of the server 4 is written in Perl/PHP. The client of the server calls the API 71
of the block 41 and the HTTP client 72 provides a mechanism for the client hooks 70
to communicate with the relay 1. This mechanism involves use of the API servlet 73
for server-side processing.

The policy manager 74 determines what security policies should be applied to an
email being received or sent. It does this by communicating with the function 55,
which extracts information from the database 30.

The cryptography API 75 is an interface which provides a real time bi-directional
link and allows Java code to call C++ cryptography code. The cryptography API
client 76 allows the cryptography library 81 to be distributed on a different hardware
platform for fault tolerance, versatility, and performance. The Fast CGI server 77 is
the server side of the cryptography API 75.

The component 78 provides S/MIME cryptography functionality for signing,
encryption, and decryption. The component 79 provides certificate management
functionality, and the component 80 provides key pool management functionality.
These components interact with the key database 90, and use cryptography processes
of the library 81. The library 81 implements low-level cryptography algorithms and
key generation routines. The components 78, 79, and 80 provide a C++ wrapper
around the low-level C library 81.

In the architecture illustrated in Fig. 4, the controller 52 manages the flow of control
for its operations by receiving a CGI command for instantiating business logic, and
each business logic instance is a JavaBean class instance. The control flow is as
follows:

Taking the command string from the CGI variables,
Parsing the string into a hash table,
Instantiating a bean using introspection and the command string,
Setting the bean properties from the name, value pairs in the hash table,
Calling init() on the bean, and
Pushing the data into the view for display.
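
The control flow above instantiates a class named by the request and copies request parameters onto it, so the command string decides what code runs. The following added example (Python, not code from the patent) walks the same steps with an allow-list of registered operations and declared properties; the `cmd` parameter and the `setSigningPolicy` operation are hypothetical names.

```python
from dataclasses import asdict, dataclass, fields
from typing import Callable, Dict
from urllib.parse import parse_qsl


class CommandError(ValueError):
    """Raised for any command string the controller refuses."""


# Allow-list: only classes registered here can be instantiated from a request.
OPERATIONS: Dict[str, type] = {}


def business_operation(name: str) -> Callable[[type], type]:
    def register(cls: type) -> type:
        OPERATIONS[name] = cls
        return cls
    return register


@business_operation("setSigningPolicy")  # hypothetical operation name
@dataclass
class SetSigningPolicy:
    sender: str = ""
    recipient: str = ""
    signing: str = "clear-sign"

    def init(self) -> None:
        # Validate after the properties are set, before anything is displayed.
        if self.signing not in ("do-not-sign", "clear-sign", "opaque-sign"):
            raise CommandError("unknown signing policy")
        if not self.sender or not self.recipient:
            raise CommandError("sender and recipient are required")
        self.sender, self.recipient = self.sender.lower(), self.recipient.lower()


def parse_command(command: str) -> Dict[str, str]:
    """Command string -> hash table, refusing malformed or repeated keys."""
    try:
        pairs = parse_qsl(command, keep_blank_values=True,
                          strict_parsing=True, max_num_fields=16)
    except ValueError as exc:
        raise CommandError(f"malformed command string: {exc}") from None
    table: Dict[str, str] = {}
    for key, value in pairs:
        if key in table:
            raise CommandError(f"repeated parameter: {key}")
        table[key] = value
    return table


def dispatch(command: str) -> Dict[str, str]:
    table = parse_command(command)
    name = table.pop("cmd", None)  # "cmd" is this example's parameter name
    cls = OPERATIONS.get(name) if name is not None else None
    if cls is None:
        raise CommandError("unknown business operation")
    # Only declared fields may be set; anything else is refused, not ignored.
    extra = set(table) - {f.name for f in fields(cls)}
    if extra:
        raise CommandError(f"unexpected properties: {sorted(extra)}")
    bean = cls(**table)   # set properties from the name/value pairs
    bean.init()           # initialise the instance
    return {"operation": name, **asdict(bean)}  # data pushed to the view


if __name__ == "__main__":
    print(dispatch("cmd=setSigningPolicy&sender=X%40isp.example"
                   "&recipient=*%40partner.example&signing=opaque-sign"))
```
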

The policy database 30 stores policies in which a policy consists of one instance of
each of the following data type classes:

Security policy scope,
Signing algorithm,
Encryption algorithm,
Signing policy,
Encryption policy

The relay 1 automatically captures security data for non-registered users when they
reply to an outgoing message from a registered user. This is achieved by the
certificate cryptography function 78 stripping off the certificate from a signed
message and storing the certificates in the database 90.

The key pool database 90 is structured to have minimal impact on performance of
the relay 1 as generation of key pairs is processor-intensive. The key pool directory
size is configurable by the user, and a threshold is set for the directory and when the
number of keys falls below that level they are replenished. The key pool is
replenished with anonymous key pairs, but these are still fully usable key sets. The
key sets are made usable by the generation of certificates and this happens on
demand. A daemon is used to monitor key pool threshold levels, and message
queues are used to communicate between the controller and the key pool code.

Referring now to Fig. 6, operation of the relay 1 is described. The client computer 2
generates an email using Web server functions 10 and this is processed by the
module 37. The plug-ins 12 allow the client computer 2 to route the email to the
relay 1 via the mail server Web mail functionality. This is a very effective
mechanism for integration of the relay 1 with a mail server 4 in a modular manner.
With an open API any subscriber or administrative user can interface with the relay
1 by implementing a plug-in 12 so that its code interacts with the API 41.

In the module 37, the security policy is determined based on the "from" and "to"
addresses in the message. The security policy consists of:

Digital Signature Policy
    Do not sign
    Clear-sign
    Opaque sign

Digest Algorithm

Encryption policy
    Do not encrypt
    Encrypt

(Symmetric) encryption algorithm.

The policy manager 74 accesses the policy database 30 to get policies for the senders
and receivers of messages. Each policy contains a "from" and a "to" field. Some
policies contain wildcards to allow setting of policies for groups. The relay 1 has
default policies, and these can be changed by the system administrator. The policies
contain the signing and encryption policies and algorithms.
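
An added example, not code from the patent, of the policy lookup and the first-contact behaviour described above: wildcard policies are resolved on the "from" and "to" addresses, a first message to an addressee goes out signed only, and the certificate captured from the reply enables encryption afterwards. The most-specific-match rule, the checks applied to a captured certificate, and all addresses and fingerprints are assumptions of this example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, Optional

# Policy values named in the description; the string spellings are this example's.
DO_NOT_SIGN, CLEAR_SIGN, OPAQUE_SIGN = "do-not-sign", "clear-sign", "opaque-sign"
DO_NOT_ENCRYPT, ENCRYPT = "do-not-encrypt", "encrypt"

@dataclass(frozen=True)
class Policy:
    sender: str     # "from" field; may contain * or ? wildcards
    recipient: str  # "to" field; may contain * or ? wildcards
    signing: str
    encryption: str

@dataclass(frozen=True)
class Certificate:
    email: str
    fingerprint: str  # constructed sample value, not a real certificate

@dataclass(frozen=True)
class Plan:
    signing: str
    encrypt: bool
    reason: str  # worth logging: records when encryption was skipped

def _specificity(p: Policy) -> int:
    # Assumption: the matching policy with the most literal characters wins.
    return sum(c not in "*?" for c in p.sender + p.recipient)

class PolicyManager:
    def __init__(self, policies: Iterable[Policy], default: Policy):
        self._policies = list(policies)
        self._default = default

    def resolve(self, sender: str, recipient: str) -> Policy:
        s, r = sender.lower(), recipient.lower()
        hits = [p for p in self._policies
                if fnmatchcase(s, p.sender.lower())
                and fnmatchcase(r, p.recipient.lower())]
        return max(hits, key=_specificity) if hits else self._default

class CertificateStore:
    def __init__(self) -> None:
        self._certs: Dict[str, Certificate] = {}

    def get(self, email: str) -> Optional[Certificate]:
        return self._certs.get(email.lower())

    def capture_from_reply(self, from_addr: str, cert: Certificate,
                           signature_valid: bool) -> str:
        """Keep the certificate stripped from a signed reply, with checks."""
        addr = from_addr.lower()
        if not signature_valid:
            return "rejected-bad-signature"
        if cert.email.lower() != addr:
            return "rejected-address-mismatch"
        known = self._certs.get(addr)
        if known is None:
            self._certs[addr] = cert
            return "stored"
        if known.fingerprint == cert.fingerprint:
            return "unchanged"
        # Never silently replace a certificate captured earlier.
        return "rejected-changed"

def plan_outgoing(pm: PolicyManager, certs: CertificateStore,
                  sender: str, recipient: str) -> Plan:
    policy = pm.resolve(sender, recipient)
    if policy.encryption == ENCRYPT and certs.get(recipient) is None:
        # First contact: sign as the policy says, but encryption is impossible.
        return Plan(policy.signing, False, "no certificate for addressee yet")
    return Plan(policy.signing, policy.encryption == ENCRYPT, "policy applied")

# Constructed sample policies and addresses.
DEFAULT = Policy("*", "*", CLEAR_SIGN, ENCRYPT)
POLICIES = [
    Policy("*@isp.example", "*@partner.example", OPAQUE_SIGN, ENCRYPT),
    Policy("x@isp.example", "list@partner.example", DO_NOT_SIGN, DO_NOT_ENCRYPT),
]

def demo():
    pm, certs = PolicyManager(POLICIES, DEFAULT), CertificateStore()
    x, y = "x@isp.example", "y@remote.example"
    first = plan_outgoing(pm, certs, x, y)    # X writes to Y for the first time
    captured = certs.capture_from_reply(y, Certificate(y, "AA:11"), True)
    later = plan_outgoing(pm, certs, x, y)    # after Y's signed reply
    swapped = certs.capture_from_reply(y, Certificate(y, "BB:22"), True)
    return first, captured, later, swapped

if __name__ == "__main__":
    for step in demo():
        print(step)
```

The `reason` field marks every message that a policy wanted encrypted but that left signed only, which is the event an operator of such a relay would want in the logs.
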

The key manager 80 then obtains access to the sender's private key from the database
90. This is secure because the keys are stored in the PKCS #15 secure storage format.

The S/MIME component 78 then constructs an S/MIME signed message including
the digital certificate chain associated with the signing key in the message.
Encryption is of course by-passed if the policy does not indicate a requirement for
encryption.

If the policy requires encryption, the certificate manager 79 retrieves the recipient
certificate from the certificate database. The S/MIME component 78 then constructs
an S/MIME encrypted message. The message is encrypted using a randomly-generated
symmetric session key, and the session key is encrypted using the
recipient's public key. These cryptography operations are performed by an algorithm
selected from the library 81. The structure of the library is as follows:

key and certificate generation,
key and certificate management, and
S/MIME capabilities.

The S/MIME message is then transmitted.

An incoming message is received by the functions 71, 72, 75, 76, 77, and 78. There
is no involvement of policies for incoming messages and the messages are decrypted
by the S/MIME component 78 and the library 81.

It will be appreciated that the invention provides for very effective security processing
of messages in a manner which is modular on the Web server hosted by the ISP or
ASP and is transparent to the subscriber. Also, the policy database allows excellent
versatility in choice of options by subscribers. The structure of the functions allows
excellent versatility for deployment of resources such as the low-level cryptography
algorithms. Also, the administrative framework comprising the management
console 31 and the policy database 31 allows simple and effective real time
configuration by administrative personnel of the host organisation.

The invention is not limited to the embodiments described but may be varied in
construction and detail.

1. A secure email delivery system (1) comprising:

a client-side interface (41) comprising means for receiving outgoing messages
from client devices operated by registered subscribers and for transmitting
incoming messages to said client devices;

a policy database (30) storing a security policy for each of a plurality of
registered subscribers;

a policy manager (74) comprising means for accessing the policy database
(30) to determine a registered subscriber policy in real time and for delivering
policy data to a requesting function in real time;

a secure key database (90) securely storing keys of registered subscribers and
their addressees and a secure certificate database (90) securely storing
certificates of registered subscribers and their addressees;

a signing function (78) comprising means for receiving policy data from the
policy manager (74) and a registered subscriber private key from the key
database (90) and for dynamically signing an outgoing message received at
the client-side interface;

an encryption function (78) comprising means for receiving policy data from
the policy manager (74) and for dynamically encrypting an outgoing message
in real time using an addressee public key retrieved from the certificate
database;

a decryption function (78) comprising means for automatically decrypting an
incoming message in real time using the private key of the addressee
registered subscriber retrieved from the key database (90); and

a server-side interface (71-73) comprising means for transmitting outgoing
messages to a mail server after being processed, and for receiving incoming
messages.

2. A system as claimed in claim 1, wherein the policy database (30) stores a
policy for non-registered users who are addressees of mail from registered
users, and the policy manager (74) comprises means for determining policy
data according to both a sender and a recipient of a message.

3. A system as claimed in claim 2, wherein the signing function (78) comprises
means for automatically signing an outgoing message in the absence of policy
data for an addressee.

4. A system as claimed in any preceding claim, wherein the client-side interface
comprises an API (71-73) for linking with hooks on a server.

5. A system as claimed in claim 4, wherein the API (71-73) comprises means for
linking with hooks on an external mail server for generating Web mail under
client instructions.

6. A system as claimed in any preceding claim, wherein the policy manager (74)
is linked with the signing function (78), the encryption function (78), and with
the decryption function (78) by a cryptography API providing a real time
bi-directional link and allowing modularity of the functions of each side of said
API.

7. A system as claimed in any preceding claim, wherein the signing function
(78), the encryption function (78), and the decryption function (78) comprise
means for operating with use of a cryptography library (81) of low-level
cryptography processes.
8. A system as claimed in claim 6 or 7, wherein the system further comprises a
certificate manager and a key manager residing on the same side of the
cryptography API as the signing, encryption and decryption functions.

9. A system as claimed in claim 8, wherein the signing function, the encryption
function, the decryption function, the certificate manager, and the key
manager provide a programmed wrapper around the cryptography library.

10. A system as claimed in any preceding claim, wherein the key database (90)
stores a policy as an instance of a plurality of datatype classes.

11. A system as claimed in claim 10, wherein the datatype classes include signing
algorithm, encryption algorithm, signing policy, and decryption policy
classes.

12. A system as claimed in claim 11, wherein the key database (30) stores a key
pool in a directory having a configurable size with a threshold, and the
database comprises means for replenishing keys when the level falls below the
threshold.

13. A system as claimed in any preceding claim, further comprising a
management console (31) comprising means for editing data in the policy
database.

14. A system as claimed in claim 13, wherein the management console (31)
comprises means for retrieving a policy from the policy database as a model
and for retrieving a certificate from the key database as a model.

15. A system as claimed in claim 14, wherein the management console (31) 
comprises a controller (52) comprising means for treating each business 
operation as an object-orientated class instance. 

16. A system as claimed in claim 15, wherein the controller (52) comprises means 
for receiving a command string, parsing the string into a hash table, 
instantiating a class instance and setting properties and a name for the 
instance, and initialising the instance. 

17. A system as claimed in any preceding claim, wherein the policy database (30) 
stores group policies, each associated with a group of registered subscribers. 

18. A system as claimed in any preceding claim, wherein the policy database
stores default policies.

19. A system as claimed in any of claims 8 to 18, wherein the certificate manager
comprises means for automatically stripping certificates from incoming
messages and storing them in the certificate database for subsequent use.

20. A secure email delivery system (1) comprising;

a client-side interface (41) comprising means for receiving outgoing messages
from client devices operated by registered subscribers and for transmitting
incoming messages to said client devices;

a policy database (30) storing a security policy for each of a plurality of
registered subscribers;

a policy manager (74) comprising means for accessing the policy database 
(30) to determine a subscriber policy in real time and for delivering policy 
data to a requesting function in real time; 

a secure key database (90) securely storing keys of registered subscribers and 
their addressees and a secure certificate database (90) securely storing 
certificates of registered subscribers and their addressees; 

a signing function (78) comprising means for receiving policy data from the
policy manager (74) and a subscriber private key from the key database (90)
and for dynamically signing an outgoing message received at the client-side
interface;

an encryption function (78) comprising means for receiving policy data from
the policy manager (74) and for dynamically encrypting an outgoing message
in real time using an addressee public key retrieved from the certificate
database;

a decryption function (78) comprising means for automatically decrypting an
incoming message in real time using the private key of the addressee retrieved
from the key database (90); and

a server-side interface (71-73) comprising means for transmitting outgoing
messages to a mail server after being processed, and for receiving incoming
messages; and wherein;

the policy manager (74) is linked with the signing function (78), the
encryption function (78), and with the decryption function (78) by a
cryptography API providing a real time bi-directional link and allowing
modularity of the functions on each side of said API,

the signing function (78), the encryption function (78), and the decryption
function (78) comprise means for operating with use of a cryptography
library (81) of low-level cryptography processes, and

the system further comprises a key manager (80) and a certificate manager
(79) residing on the same side of the API as said signing, encryption, and
decryption functions, and said functions, the key manager, and the certificate
manager together provide a wrapper around said cryptography library.

21. A computer program product comprising software code portions for
completing a secure email delivery system as claimed in claim 1 when
executing on a digital computer.